Verdict: MALICIOUS
Risk Score: 80
Malware Insights
MITRE ATT&CK
T1204 Malicious Link
T1566 Phishing
The PDF file contains a direct link to a ZIP archive hosted on Dropbox, masquerading as a business document. This heuristic, combined with the cloud document lure, strongly suggests a phishing attempt to trick users into downloading and executing a malicious payload. The embedded URL is the primary indicator of compromise.
Heuristics (3)
- PDF link points directly to executable/archive payload [critical, PDF_DIRECT_PAYLOAD_LINK]: PDF contains a clickable HTTP(S) URI whose path ends in an executable, script, shortcut, disk image, or archive extension. Documents can legitimately link to installers, so this is a high-risk delivery indicator rather than a standalone exploit fingerprint.
- Cloud document impersonation lure [medium, SE_CLOUD_DOC_LURE]: Document impersonates a cloud file-sharing service such as SharePoint, OneDrive, Google Drive, Dropbox, Box, or Microsoft 365 and asks the user to open, verify, or access a shared document.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: https://www.dropbox.com/s/cym2723azwnb364/ADNOC%202020%20REQUEST%20FOR%20QUOTATION-REQUEST%20FOR%20TENDER%20CODE%2076384_pdf.zip?dl=0
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| stream_004_off00030a48.bin | 1cf912dd52051058d312318096237e7b07891414f6f373eaa6ae10538113dd93 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x30A48 | 567336 bytes |